docker/core/traefik/MTLS.md
2026-04-13 12:05:43 +10:00

# Private-admin mTLS for Traefik

Private-admin routers are configured to require client certificates via the Traefik TLS option `mtls-private-admin@file`.
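As an added illustration (not a file from this repository), the Traefik dynamic configuration that such an option and router look like. The option name and CA bundle path come from this page; the container mount point `/certs`, the router name, the `Host` rule and the service name are assumptions.

```yaml
# Added example: Traefik file-provider dynamic configuration for the TLS option
# referenced as mtls-private-admin@file. The option name and CA bundle path come
# from MTLS.md; /certs, the router name, hostname and service name are assumed.
tls:
  options:
    mtls-private-admin:
      minVersion: VersionTLS12
      clientAuth:
        # The CA bundle that certs issued by issue-mtls-client-cert.sh chain to
        # (core/traefik/certs/ca/clients-ca.crt on the host, mounted read-only).
        caFiles:
          - /certs/ca/clients-ca.crt
        # RequireAndVerifyClientCert fails the handshake unless the client presents
        # a certificate that chains to caFiles. The weaker RequestClientCert and
        # VerifyClientCertIfGiven admit a client that presents no certificate at all,
        # so they do not protect private-admin routers. Only chain validity is
        # checked here; no revocation list is consulted, which is why revocation
        # below means rotating the CA.
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    private-admin:
      rule: "Host(`admin.example.internal`)"   # assumed hostname
      service: private-admin-svc               # assumed service name
      tls:
        options: mtls-private-admin@file       # the option above, via the file provider
```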

## Certificate paths

- Trusted client CA bundle expected by Traefik:
  - `core/traefik/certs/ca/clients-ca.crt`
- CA private key (keep secret, never commit):
  - `core/traefik/certs/ca/clients-ca.key`
- Issued client certs:
  - `core/traefik/certs/clients/<client-name>/`

## Bootstrap

From the repository root:

```sh
./core/traefik/scripts/init-mtls-ca.sh
./core/traefik/scripts/issue-mtls-client-cert.sh admin-laptop
```

The second command exports a PKCS#12 bundle (`.p12`) for browser import and also leaves PEM `.crt`/`.key` files for CLI use.

## Revocation workflow

Because Traefik is configured with `clientAuth.caFiles` only, revoked certificate serials are not enforced by default: any certificate that chains to the trusted CA continues to be accepted until the CA itself is rotated.

- Use `./core/traefik/scripts/revoke-mtls-client-cert.sh <client-name>` to quarantine a client cert bundle (this removes it from the issued set; Traefik will still accept it while the current CA is trusted).
- For strict revocation, rotate the CA (run `init-mtls-ca.sh` after removing the old CA) and re-issue all trusted client certs.

## Deploy

After the CA and certs are in place, restart Traefik so the updated files are loaded:

```sh
docker compose -f core/traefik/docker-compose.yml up -d traefik
```